e4a36f41 Android Build Coastguard Worker

typeattribute mediadrmserver coredomain;

init_daemon_domain(mediadrmserver)

# allocate and use graphic buffers
hal_client_domain(mediadrmserver, hal_graphics_allocator)
auditallow mediadrmserver hal_graphics_allocator_server:binder call;

typeattribute mediadrmserver mlstrustedsubject;

net_domain(mediadrmserver)
binder_use(mediadrmserver)
binder_call(mediadrmserver, binderservicedomain)
binder_call(mediadrmserver, appdomain)
binder_service(mediadrmserver)
hal_client_domain(mediadrmserver, hal_drm)

add_service(mediadrmserver, mediadrmserver_service)
allow mediadrmserver mediaserver_service:service_manager find;
allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
allow mediadrmserver system_file:dir r_dir_perms;

# TODO(b/80317992): remove
binder_call(mediadrmserver, hal_omx_server)

###
### neverallow rules
###

# mediadrmserver should never execute any executable without a
# domain transition
neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
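The neverallow above is a compile-time assertion: checkpolicy rejects the whole policy if any allow rule, anywhere in the tree, grants mediadrmserver execute_no_trans on a file_type or fs_type. As an added example (not part of the AOSP policy or its build tooling), this small Python checker parses plain allow/neverallow rules, expands `{ ... }` sets, and reports allow rules that a neverallow forbids. The attribute membership table is a constructed subset assumed for the example; the real policy resolves attributes from thousands of type declarations.

```python
import re

# Constructed, partial map of attribute -> member types (assumption for
# this example; the real sepolicy defines far more members).
ATTRIBUTES = {
    "file_type": {"system_file", "vendor_file"},
    "fs_type": {"proc", "sysfs"},
}

# Matches: allow|neverallow SRC TGT:CLASS PERMS;  where TGT/CLASS/PERMS
# may each be a single name or a brace-delimited set.
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\{[^}]*\}|\S+):(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+);"
)

def expand(token):
    """Turn 'x' or '{ x y }' into a set of names."""
    return set(token.strip("{}").split())

def resolve_types(names):
    """Expand attribute names to the concrete types they cover."""
    out = set()
    for name in names:
        out |= ATTRIBUTES.get(name, {name})
    return out

def parse_rules(policy_text):
    """Return (kind, src, target_types, classes, perms) for each av rule."""
    rules = []
    for line in policy_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, src, resolve_types(expand(tgt)),
                          expand(cls), expand(perms)))
    return rules

def find_violations(policy_text):
    """List (src, types, classes, perms) overlaps between allow and neverallow."""
    rules = parse_rules(policy_text)
    allows = [r for r in rules if r[0] == "allow"]
    nevers = [r for r in rules if r[0] == "neverallow"]
    found = []
    for _, nsrc, ntgt, ncls, nperms in nevers:
        for _, asrc, atgt, acls, aperms in allows:
            types, classes, perms = atgt & ntgt, acls & ncls, aperms & nperms
            if asrc == nsrc and types and classes and perms:
                found.append((asrc, sorted(types), sorted(classes), sorted(perms)))
    return found

# Constructed sample: the shipped rules pass; an added execute_no_trans grant fails.
POLICY = """allow mediadrmserver system_file:dir r_dir_perms;
neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
"""
BAD_RULE = "allow mediadrmserver system_file:file execute_no_trans;\n"
```

Running `find_violations(POLICY + BAD_RULE)` flags the added rule because system_file is a file_type and the class and permission overlap, while the dir rule from the real file is untouched.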